Duplicate Project Name and Version when Cloning and Uploading BOM File #4411

Open
2 tasks done
eugenhoffmann opened this issue Nov 27, 2024 · 1 comment
Labels
defect (Something isn't working), help wanted (Extra attention is needed), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/M (Medium effort)
Comments

@eugenhoffmann
eugenhoffmann commented Nov 27, 2024

Current Behavior

We have observed a race condition that leads to duplicate project names and versions in Dependency-Track when triggering a project clone and immediately uploading the BOM file to the project clone without waiting for the clone to complete.

Note: The issue was not observed in Dependency-Track version 4.11.

Steps to Reproduce

  1. Trigger a project clone using the API "api/v1/project/clone" without awaiting its completion.
  2. Immediately upload the BOM file with the "auto-create" parameter to the project clone using the API "api/v1/bom", specifying the same project name and version.
  3. Observe the projects in Dependency-Track and verify that a duplicate project name and version has been created.

Expected Behavior

A single project with a unique name and version should exist in Dependency-Track.
The BOM upload should fail, or the system should wait until the clone process is complete before processing the BOM file in Dependency-Track.

Dependency-Track Version

4.12.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15.8

Browser

Google Chrome

eugenhoffmann added the defect and in triage labels on Nov 27, 2024
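A script for the reproduction steps above, added here as an example; it is not code from the issue or from the Dependency-Track project. The endpoint paths are the ones named in the report. The HTTP methods, the JSON field names (project, version, projectName, projectVersion, autoCreate, bom) and the X-Api-Key header follow the Dependency-Track v4 REST API as understood by the author of this example and should be checked against your instance's OpenAPI document before use. The duplicate finder runs offline over a constructed project list and doubles as an audit for an existing instance, since the race leaves behind exactly the pattern it looks for.

```python
"""Reproduce the clone/upload race and audit an instance for duplicate (name, version) pairs.

Added example; not code from the Dependency-Track project. Endpoint paths come from the
issue. Methods, JSON field names and the X-Api-Key header follow the Dependency-Track v4
REST API as understood by the author of this example (an assumption; verify against the
instance's OpenAPI document).
"""
import base64
import json
import os
import threading
import urllib.parse
import urllib.request
from collections import Counter

# Constructed sample shaped like the list GET /api/v1/project returns. It contains the two
# shapes of duplicate the race can produce: same name and version, and same name with no
# version at all (the case a plain UNIQUE(NAME, VERSION) constraint would not catch).
SAMPLE_PROJECTS = [
    {"name": "acme-api", "version": "1.4.0"},
    {"name": "acme-api", "version": "1.5.0"},
    {"name": "acme-api", "version": "1.5.0"},
    {"name": "acme-api"},
    {"name": "acme-api"},
    {"name": "acme-web", "version": "2.0.0"},
]


def find_duplicates(projects):
    """Return [((name, version), count), ...] for every pair that occurs more than once.
    A missing version is keyed as None so NULL-version duplicates are reported too."""
    counts = Counter((p.get("name"), p.get("version")) for p in projects)
    dups = [(key, n) for key, n in counts.items() if n > 1]
    return sorted(dups, key=lambda item: (item[0][0], item[0][1] or ""))


def api(base_url, api_key, method, path, body=None):
    """Minimal JSON client for the Dependency-Track REST API (stdlib only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=data,
        method=method,
        headers={
            "X-Api-Key": api_key,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def reproduce(base_url, api_key, source_project_uuid, name, new_version, bom_bytes):
    """Steps 1-3 of the issue: start the clone, upload the BOM with autoCreate without
    waiting for the clone, then list projects with that name and report duplicates."""
    clone = threading.Thread(
        target=api,
        args=(base_url, api_key, "PUT", "/api/v1/project/clone",
              {"project": source_project_uuid, "version": new_version,
               "includeTags": True, "includeComponents": True}),
    )
    clone.start()
    # Deliberately no join() here: the upload must race the still-running clone.
    api(base_url, api_key, "PUT", "/api/v1/bom", {
        "projectName": name,
        "projectVersion": new_version,
        "autoCreate": True,
        "bom": base64.b64encode(bom_bytes).decode(),
    })
    clone.join()
    listing = api(base_url, api_key, "GET",
                  "/api/v1/project?name=" + urllib.parse.quote(name))
    return find_duplicates(listing)


if __name__ == "__main__":
    if os.environ.get("DT_URL"):
        # Live run against a test instance; every value comes from the environment.
        with open(os.environ["DT_BOM_FILE"], "rb") as fh:
            bom = fh.read()
        print(reproduce(os.environ["DT_URL"], os.environ["DT_API_KEY"],
                        os.environ["DT_SOURCE_PROJECT_UUID"], os.environ["DT_PROJECT_NAME"],
                        os.environ["DT_NEW_VERSION"], bom))
    else:
        # Offline: audit the constructed sample.
        for (name, version), n in find_duplicates(SAMPLE_PROJECTS):
            print(f"{name} {version or '(no version)'}: {n} projects")
```

Run it only against a throwaway instance: a successful reproduction leaves two projects with the same name and version behind, and since the race depends on timing, a single run that finds nothing does not prove the instance is unaffected.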
@nscuro
Member

nscuro commented Nov 27, 2024

In v4.11, project cloning was not an atomic operation. This means that the new project version was visible to other processes way sooner than it is now (assuming READ COMMITTED isolation level).

Unfortunately we can't use a unique constraint on NAME and VERSION in the database, because version can be NULL. In some databases, unique constraints allow multiple NULL values.

Working around this is possible using partial indexes, but the ORM we use doesn't support (i.e. cannot create) those.

For completeness, we were able to apply such partial indexes in v5.x, where we can focus on PostgreSQL: https://github.com/DependencyTrack/hyades-apiserver/blob/cdfd62d4a0ba0b96d66ca9910ce6226710488ca2/src/main/resources/migration/changelog-v5.4.0.xml#L17

Not sure what we can do to prevent this without help from the database, outside of maybe acquiring a lock before creating a project.

nscuro added the help wanted, p2 and size/M labels and removed the in triage label on Nov 29, 2024
nscuro added this to the 4.12.3 milestone on Dec 4, 2024
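The two database-level points in the comment above, a composite unique constraint that lets NULL versions through and the partial-index pair that closes that gap, demonstrated in an added example that is not the project's migration. It uses Python's bundled SQLite driver so it runs offline; SQLite, like PostgreSQL by default, treats NULLs as distinct in a UNIQUE constraint and supports partial indexes with the same WHERE syntax, so the outcome is the same one a PostgreSQL instance would show. The index names are this example's own.

```python
"""Why a plain UNIQUE(NAME, VERSION) constraint does not prevent the duplicate when VERSION
is NULL, and how a pair of partial unique indexes closes the gap.

Added example, not the project's migration. SQLite is used because it runs offline; its
UNIQUE and partial-index semantics match PostgreSQL's defaults for this case. Index names
are this example's own (an assumption, not the project's).
"""
import sqlite3

# What the ORM can declare today: a composite unique constraint. Two rows with the same NAME
# and a NULL VERSION do not violate it, because NULLs compare as distinct.
PLAIN_UNIQUE_SCHEMA = """
CREATE TABLE "PROJECT" (
    "ID"      INTEGER PRIMARY KEY,
    "NAME"    TEXT NOT NULL,
    "VERSION" TEXT,
    UNIQUE ("NAME", "VERSION")
);
"""

# The partial-index workaround: one index covers versioned projects, a second one makes
# NAME unique among the rows whose VERSION is NULL.
PARTIAL_INDEX_SCHEMA = """
CREATE TABLE "PROJECT" (
    "ID"      INTEGER PRIMARY KEY,
    "NAME"    TEXT NOT NULL,
    "VERSION" TEXT
);
CREATE UNIQUE INDEX "PROJECT_NAME_VERSION_IDX"
    ON "PROJECT" ("NAME", "VERSION") WHERE "VERSION" IS NOT NULL;
CREATE UNIQUE INDEX "PROJECT_NAME_NULL_VERSION_IDX"
    ON "PROJECT" ("NAME") WHERE "VERSION" IS NULL;
"""

INSERT = 'INSERT INTO "PROJECT" ("NAME", "VERSION") VALUES (?, ?)'


def try_duplicate_inserts(schema_sql):
    """Build the table, seed one versioned and one unversioned project, then attempt the two
    duplicate inserts a lost race would produce. Returns which of them the database accepted."""
    con = sqlite3.connect(":memory:")
    con.executescript(schema_sql)
    con.execute(INSERT, ("acme-api", "1.5.0"))
    con.execute(INSERT, ("acme-api", None))
    outcome = {}
    for label, row in (("same_version", ("acme-api", "1.5.0")),
                       ("null_version", ("acme-api", None))):
        try:
            con.execute(INSERT, row)
            outcome[label] = "accepted"
        except sqlite3.IntegrityError:
            # The constraint or index did its job; the connection stays usable.
            outcome[label] = "rejected"
    con.close()
    return outcome


if __name__ == "__main__":
    print("UNIQUE(NAME, VERSION):  ", try_duplicate_inserts(PLAIN_UNIQUE_SCHEMA))
    print("partial unique indexes: ", try_duplicate_inserts(PARTIAL_INDEX_SCHEMA))
```

The second schema is the property the application cannot guarantee on its own: whichever of the clone or the auto-create commits second gets an integrity error instead of silently producing a twin, regardless of which code path raced. PostgreSQL 15 and later also offer UNIQUE NULLS NOT DISTINCT for this, but that is not portable to the other database servers a 4.x deployment may use, which is why the partial indexes only arrived in the PostgreSQL-only 5.x line linked above. Without either, a lock around project creation serializes the check-then-insert but protects only the code paths that take it.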